What Is Meant by “Tenant Admin”?

Let’s assume you are working on a new project with a team of 10 Information Technology professionals.

A company (let’s call it Nickison II, LLC) is buying part of another company (we’ll call this company Marty’s). The deal includes a total transfer of ownership for six applications. Let’s call these applications Quickbooks Desktop, WordPress (local install and configuration), Office 365, Dynamics CRM, Microsoft SQL Server 2016, and Teams (with the phone service add-on).

The team is now assembled, and the work on planning begins. Everyone (including yourself) is excited to start this major company initiative.

In the initial discussions, the election of tenant admins takes place. No one volunteers for the task, so you and the resident Microsoft Azure cloud guru are nominated to be tenant admins.

You are now thinking, “What in the world did I just get signed up for?!”

The good news is this:
What you need to accomplish this task is not work-intensive.

The bad news is this:
Once you become a tenant admin, you have the rights to do almost ANYTHING in the tenant rights assignment arena … and with such privilege comes massive amounts of responsibility and accountability.

So, what exactly is meant by “tenant admin”?

Basically, you will be granted rights in the Microsoft Azure tenant that let you assign rights to any resource (people, deployments, services, and so much more) and change the assigned rights level at any time as you wish. In most cases, your user account in the specific Azure tenant will have its rights increased to Owner role access (in some more restrictive deployments, the account will be elevated to co-contributor level).

So, in essence, you have volunteered to be a top-level admin for the tenant.

Others will now call you when new account access to the tenant needs to be established (for new users or services). Additionally, expect to have emails sent to you when access needs to be adjusted or removed. The latter, for example, could be the result of people leaving the project or company altogether.

To be frank, a tenant admin is someone who has owner or co-contributor access to a tenant. With this right in place, the person in question can now administer access to the tenant.

What Is the Meaning of “Lift and Shift”?

Picture this:

You are working with a team of people tasked with migrating the supply chain servers and related applications, databases, websites, and more from the datacenter in Atlanta, Georgia, to a Microsoft Azure tenant. There are ten servers in total, and all were built in 2020. They each:

Run Windows Server 2019 Datacenter
Are Dell PowerEdge R820 16-Bay Servers containing four 2.20Ghz E5-4607 Six Core Processors and a total of 64 GB of Memory
Have a local RAID-5 configuration of two sets, each of 3 drives per set of 500MB SSDs for a total of 2 logical drives per server, each having 1TB of logical space

It is determined that we will use the Azure Migrate Tool to move each server to a suitable Azure VM in the new tenant named ‘Supply_Chain_202202.’

The latest information pertaining to this migration is that it will be a ‘lift and shift’ for all ten servers.

So, the grand question is:
What is the meaning of ‘lift and shift’?

Let’s assume for the sake of clarification that you have a portable fireproof safety box (like a SentrySafe 1200 Fireproof Box) which contains twenty 100-USD bills and ten 500-EUR bills. You have to move all the bills (USD and EUR) to a storage facility owned by a national conglomerate.

In the example above, taking the locked SentrySafe 1200 to the storage facility and locking the box with the bills inside the storage facility is ‘lift and shifting’ the bills. The other main methodology is ‘re-homing,’ which is taking the bills out of the SentrySafe 1200 and placing the bills by themselves directly into the storage space.

Essentially, ‘lift and shift’ is moving the server ‘in one whole piece’ to the new location (in this case, Microsoft Azure). In this instance, it can be done using the Azure Migrate Tool process.

To clarify, ‘lift and shift’ moves the complete entity as one piece, while ‘re-homing’ refers to creating a new entity in the new location and just shifting the data and configurations.

What Is Meant By “Control of the Tenant”?

One of the more commonly discussed ideas in the migration space is “control of the tenant.” However, there is not a lot of discussion about this important aspect of Microsoft Azure migration in courses. Let’s fix that deficiency by discussing what control of the tenant means in depth.

First, a tenant is an instance of Azure AD combined with the resources that utilize this specific Azure Active Directory instance. For each tenant in the Microsoft Azure cloud, there exists a Microsoft Azure Active Directory instance that is specifically allocated to it. All the resources (virtual machines, network security groups, M365 [Office 365], etc.) that are related to that Azure AD instance are also built as resources (members) of the tenant.

Now that we understand what a tenant is, we can quickly discuss what is meant by control of the tenant. Let me start with a short story.

Imagine you decided to learn more about Microsoft Azure. You have a credit card and sign up for the free tier (a small subset of all the available resources in Azure that you can use for free). You name the subscription. Furthermore, you set up billing so that when the monthly bill reaches $20 USD (by accident), all the resources are turned off for the month. You are quite the cost-conscious person!

You want to share your work with three fellow IT technicians who are also learning more in Azure. You have their email addresses and full names, so you create three new Azure Active Directory guest accounts.

The next question is:
How will rights in this tenant be assigned?

You need to have ‘owner’ and ‘co-contributor’ user Role-Based Access Controls (RBAC) set up and add each account to the subscription. How will you set this up?

When we discuss control of the tenant, we refer to the person who will have owner user RBAC rights and Global Administrator resource rights in the Azure AD. In this instance, you decide that you alone will have control of the tenant. All of the other technicians will each have ‘co-contributor’ user RBAC with all the subscriptions added to their accounts with the Azure AD resource role set to ‘Global Reader.’

In this way, your colleagues can see all the data yet be unable to change it. Only you will have the right to change things across the board.

So, simply stated, control of the tenant refers to the person/people who can make any changes in the Azure tenant they desire and get the changes to save and be implemented.
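To see who actually holds control once assignments start to accumulate, the role assignments can be audited. The following is an added example, not part of the original article: it reads records shaped like the JSON output of `az role assignment list`, using constructed names and a placeholder subscription ID, with the built-in Contributor role standing in for the article's 'co-contributor'. It covers Azure RBAC only, not Azure AD directory roles such as Global Administrator, and its thresholds are assumptions.

```python
# Constructed sample shaped like `az role assignment list --all -o json`,
# reduced to the fields used below. All names and IDs are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GUEST = "{}_example.org#EXT#@example.onmicrosoft.com"  # guest UPN pattern


def row(name, role, scope=SUB, ptype="User"):
    return {"principalName": name, "principalType": ptype,
            "roleDefinitionName": role, "scope": scope}


SAMPLE = [
    row("you@example.onmicrosoft.com", "Owner"),
    row(GUEST.format("tech1"), "Contributor"),
    row(GUEST.format("tech2"), "Contributor"),
    row(GUEST.format("tech3"), "Contributor"),
    # Constructed drift: a guest later given Owner on one resource group.
    row(GUEST.format("tech3"), "Owner", SUB + "/resourceGroups/rg-lab"),
]

# Built-in roles whose holders can change who has access.
ACCESS_ROLES = {"Owner", "User Access Administrator"}


def is_guest(upn):
    # Guest accounts carry the #EXT# marker in their user principal name.
    return "#EXT#" in upn.upper()


def audit(assignments, min_controllers=2, max_controllers=3):
    """Return (controllers, findings); thresholds are assumptions, tune them."""
    holders = [a for a in assignments if a["roleDefinitionName"] in ACCESS_ROLES]
    controllers = sorted({a["principalName"] for a in holders})
    findings = [
        f"guest holds {a['roleDefinitionName']} at {a['scope']}: {a['principalName']}"
        for a in holders if is_guest(a["principalName"])
    ]
    if len(controllers) < min_controllers:
        findings.append(f"only {len(controllers)} controller(s): lockout risk if the account is lost")
    if len(controllers) > max_controllers:
        findings.append(f"{len(controllers)} controllers exceed the limit of {max_controllers}")
    return controllers, findings


if __name__ == "__main__":
    controllers, findings = audit(SAMPLE)
    print("control of the tenant (Azure RBAC):", controllers)
    for finding in findings:
        print("FINDING:", finding)
```

Run against the first four rows only (the setup the story describes), the audit reports a single controller, which is the lockout risk of keeping control with one person.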

This question will be important for any migrations to Microsoft Azure you run into. Who will have control of the tenant? Will it be the CISO (Cyber Security Chief Officer), CIO (Chief in Information Technology department), the Cloud Administration team or the IT Support team? Or will it perhaps be the IT Management or even a third-party MSP (Managed Services Provider)?

The answer is contingent on the perspectives of all the stakeholders.